
Re: Remote execution in pods in OpenShift v3



Could be valuable.  We probably at a lower level want to be able to efficiently check for whether an image has been modified on disk when OverlayFS lands (does container X mutate the underlying image).  It'll be hard for us to know when an image has been changed because of internal processes or external processes.

----- Original Message -----
> Is there a plan to mark a container that has been accessed via SSH with an
> attribute in the API server data model to denote that it has been
> potentially modified?
> 
> ----- Original Message -----
> From: "Clayton Coleman" <ccoleman redhat com>
> To: "David Eads" <deads redhat com>
> Cc: dev lists openshift redhat com
> Sent: Wednesday, March 18, 2015 4:21:38 PM
> Subject: Re: Remote execution in pods in OpenShift v3
> 
> Right now, and we'll add the bastion (at which point you'll be able to
> control this fine grained).
> 
> ----- Original Message -----
> > `exec` makes use of the `proxy` verb directly to a node.  By default
> > only cluster admins (we make one for you called system:admin) have the
> > power to proxy, so only cluster admins can exec into pods.
> > 
> > 
> > 
> > On Wed, 2015-03-18 at 20:00 +0100, Akram Ben Aissi wrote:
> > > That's greatly powerful !
> > > 
> > > Can we set a policy yet to allow or disallow it?
> > > 
> > > Sent from mobile
> > > 
> > > > On 18 mars 2015, at 19:51, Clayton Coleman <ccoleman redhat com> wrote:
> > > > 
> > > > Remote execution to containers and pods is now part of the 'osc'
> > > > command
> > > > - big thanks to Andy for driving that upstream in Kube and into
> > > > OpenShift.  Some examples:
> > > > 
> > > >    # get a remote shell to a pod called 'test'
> > > >    $ osc exec -itp test -- /bin/bash
> > > > 
> > > >    # list a file
> > > >    $ osc exec -p test -- ls /var/log
> > > > 
> > > >    # rsync using osc as netcat
> > > >    $ rsync -av -e 'osc exec -ip test -- /bin/bash' mylocalfolder/
> > > >    /tmp/remote/folder
> > > > 
> > > > And even SSH, using the ProxyCommand directive and SSHD's inetd support
> > > > to an image with sshd installed and the default root user having no
> > > > password.
> > > > 
> > > >    $ cat ~/.ssh/config
> > > >    Host testpod
> > > >      User root
> > > >      ProxyCommand osc exec -ip test -- /bin/bash -c "sshd-keygen &&
> > > >      $(which sshd) -o 'AuthenticationMethods password' -o
> > > >      'permitemptypasswords yes' -o 'UsePAM no' -o
> > > >      'UsePrivilegeSeparation no' -ddd -i -u 256 -E /tmp/log"
> > > > 
> > > >    $ ssh testpod
> > > >    root pod's password:
> > > >    Last login: Wed Mar 18 18:28:47 2015 from UNKNOWN
> > > >    [root test ~]# ps
> > > >      PID TTY          TIME CMD
> > > >       24 pts/0    00:00:00 bash
> > > >       77 pts/0    00:00:00 yum
> > > >      541 pts/0    00:00:00 bash
> > > >      557 pts/0    00:00:00 ps
> > > > 
> > > > There's still some edge cases around command execution we are testing
> > > > (sometimes CTRL+C can result in the tty not being reset, so you have to
> > > > run 'stty sane' or close your shell).  But hopefully you'll start
> > > > seeing
> > > > these patterns crop up so you can integrate existing tools and
> > > > workflows
> > > > into your OpenShift 3 applications.
> > > > 
> > > > _______________________________________________
> > > > dev mailing list
> > > > dev lists openshift redhat com
> > > > http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
> > > 
> > 
> > 
> > 
> 
> 

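As an added example (not code from this thread or from OpenShift), here is the kind of on-disk integrity check the top reply asks for: hash every file in an image's root filesystem to build a baseline, then diff that against the same tree later to see whether an exec or SSH session left the container modified. The rootfs layout and the file contents are constructed in a temporary directory for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file under root (relative path) to (sha256, permission bits)."""
    manifest = {}
    root = Path(root)
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are out of scope here
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            manifest[str(p.relative_to(root))] = (digest, p.stat().st_mode & 0o7777)
    return manifest


def diff_manifests(baseline, current):
    """Return sorted lists of files added, removed, or changed (content or mode)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed rootfs: take a baseline, simulate an interactive session, then diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "usr" / "bin").mkdir(parents=True)
        (root / "root").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "hosts").chmod(0o644)
        (root / "usr" / "bin" / "ls").write_bytes(b"\x7fELF constructed placeholder")
        baseline = build_manifest(root)
        # changes a shell session might leave behind: edited config, changed mode,
        # new shell history, deleted binary
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").chmod(0o600)
        (root / "root" / ".bash_history").write_text("yum update\n")
        (root / "usr" / "bin" / "ls").unlink()
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Against a real image the baseline would be taken from the pristine image layer and the current manifest from the container's writable layer, so only the upper layer needs hashing once OverlayFS is in use.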
